F5 Public Cloud Solutions > 6. Welcome to F5 Agility 2018 – Secure BIG-IP and Application deployments in AWS documentation! > 6.2. Securing your BIG-IP instance in AWS and deploying SSL App Source | Edit on
6.2.1. SSL Security of F5 Management¶
There are some vulnerabilities in the default HTTPS access of the management on the F5 documented here: |K13400|
To protect against this we will disable all non-TLSv1.2 connections to the management by doing the following:
Log in to the SSH of the F5 BIG-IP by using the same method previously used to change admin password:
ssh -i student#-BIG-IP.pem admin@<EIP Host Address for Management network>
Before you change the SSL cipher string, you should review the existing string for your specific BIG-IP version. To list the currently configured cipher string, type the following command:
list /sys httpd ssl-ciphersuite
For example, the BIG-IP 13.1.7 system displays the following cipher string:
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA
To restrict Configuration utility access to clients using TLS 1.2 or RC4-SHA ciphers, type the following command:
modify /sys httpd ssl-ciphersuite ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:!SSLv2:-TLSv1:-SSLv3:RC4-SHA
Alternatively, if you want to restrict to only TLS 1.1 and TLS 1.2 ciphers, then type the following command instead:
modify /sys httpd ssl-ciphersuite ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:!SSLv2:!SSLv3:!TLSv1
Save the configuration change by typing the following command:
save /sys config